<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta content="IE=edge" http-equiv="X-UA-Compatible">
    <meta content="width=device-width, initial-scale=1" name="viewport">
    <title>Backdoor planted in PHP Git repository after server hack | The Daily Swig</title>

    
<script nonce="C//gpoUrYVk8XZP3LknxDxvcJoUvrImY">
    const dimensionName = "dimension2";
    const userRef = "";
</script>

    <meta content="Scripting language falls victim to cyber-attack" name="description">
    
<!-- Twitter data -->
    <meta name="twitter:card" content="summary_large_image">
    <meta name="twitter:site" content="@DailySwig">
<meta name="twitter:title" content="Backdoor planted in PHP Git repository after server hack">
    <meta name="twitter:description" content="Scripting language falls victim to cyber-attack">
    <meta name="twitter:creator" content="@JesscaHaworth">
<meta name="twitter:image" content="https://portswigger.net/cms/images/be/3e/4a50-twittercard-210329-php-body-text-1200.jpg">

<!-- Open Graph data -->
<meta property="og:title" content="Backdoor planted in PHP Git repository after server hack" />
    <meta property="og:description" content="Scripting language falls victim to cyber-attack">
<meta property="og:type" content="article" />
<meta property="og:url" content="https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack" />
<meta property="og:image" content="https://portswigger.net/cms/images/be/3e/4a50-twittercard-210329-php-body-text-1200.jpg" />
    <meta property="og:site_name" content="The Daily Swig | Cybersecurity news and views" />
    <meta property="article:published_time" content="2021-03-29T12:00:40" />

    <link href="https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack" rel="canonical"/>

        <link href="https://portswigger.net/daily-swig/amp/backdoor-planted-in-php-git-repository-after-server-hack" rel="amphtml"/>

    <link href="/content/images/logos/favicon.ico" rel="icon" type="image/x-icon"/>
    <link href="/content/images/logos/apple-touch-icon.png" rel="apple-touch-icon">
    <link href="/content/psdailyswig.css?v=jSgDMpQsotICfDI0OFAGpL7Z6Ck" rel="stylesheet" type="text/css">
    <link rel="preload" href="/Content/Fonts/ps-icons-small/ps-icons-small.woff?td2uot" as="font" crossorigin="anonymous">
<link rel="preload" href="/Content/Fonts/ps-main/ps-icons.woff?l1la2n" as="font" crossorigin="anonymous">
</head>
<body class="theme-dailyswig">
    

<section class="banner-container dailyswig" id="top">
    <div class="container">
        <div class="linkscontainer-left" id="portswigger-logo-container">
            <a class="is-icon light-blue-hover" href="/" >
                <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18">
    <path d="M0 0h18v18H0z" fill="#f63"/>
    <path d="M10 18H8v-2.8l2.7-3.3H8V8H3.3l4.8-5.8V0H10v2.9L7.3 6H10V10h4.7L10 15.8z" fill="#fff"/>
</svg>
            </a>
        </div>
        <div class="linkscontainer" id="icons-container">
            <a class="aboutlink" href="/daily-swig/about" ></a>
            <a class="is-icon light-blue-hover" href="https://twitter.com/DailySwig" >
                <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 19.998">
    <path d="M22.245,2.835a3.066,3.066,0,0,1-.923.118v-.1A7.616,7.616,0,0,0,23.169.663c.074-.254,0-.336,0-.345L21.608,1l-1.293.609h0A5.128,5.128,0,0,0,16.52,0a4.69,4.69,0,0,0-4.913,4.416A7.015,7.015,0,0,0,11.8,6.078c0,.127,0-.127,0,0A14.883,14.883,0,0,1,5.818,4.261C1.847,2.208,1.625.79,1.625.79,1.007,1.462.7,3.7,1.321,5.451A5.728,5.728,0,0,0,3.1,7.578h0A4.094,4.094,0,0,1,1.847,7.36a2.715,2.715,0,0,1-.923-.445c-.379.963.388,2.726,1.727,3.916A7.026,7.026,0,0,0,4.839,12l-2.216.064c-.12,2.217,4.525,3.526,4.525,3.526h0A7.457,7.457,0,0,1,2.53,17.327,8.651,8.651,0,0,1,0,16.946,11.857,11.857,0,0,0,8.237,19.99c8.311-.445,12.974-7.769,13.2-14.956h0a5.9,5.9,0,0,0,1.219-1.054A8.831,8.831,0,0,0,24,2.162,13.006,13.006,0,0,1,22.245,2.835Z"
          transform="translate(0 0.005)" fill="#324d5c"/>
</svg>
            </a>
            <a class="is-icon light-blue-hover" href="https://www.facebook.com/DailySwig/" >
                <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20">
    <path d="M19.091,0H.909A.909.909,0,0,0,0,.909V19.091A.909.909,0,0,0,.909,20h9.764V12.291H8.091V9.227h2.582V6.836a4.064,4.064,0,0,1,4.055-4.064h2.191v3.2H14.727a.855.855,0,0,0-.855.864V9.227h3.045l-.473,3.064H13.873V20h5.218A.909.909,0,0,0,20,19.091V.909A.909.909,0,0,0,19.091,0Z"
          fill="#324d5c"/>
</svg>
            </a>
            <a class="is-icon light-blue-hover" href="https://www.linkedin.com/company/the-daily-swig" >
                <svg xmlns="http://www.w3.org/2000/svg" width="20" height="24" viewBox="0 0 24 24">
    <path fill="#324d5c" d="M0 0v24h24v-24h-24zm8 19h-3v-11h3v11zm-1.5-12.268c-.966 0-1.75-.79-1.75-1.764s.784-1.764 1.75-1.764 1.75.79 1.75 1.764-.783 1.764-1.75 1.764zm13.5 12.268h-3v-5.604c0-3.368-4-3.113-4 0v5.604h-3v-11h3v1.765c1.397-2.586 7-2.777 7 2.476v6.759z"/>
</svg>
            </a>
            <a class="is-icon light-blue-hover" href="mailto:dailyswig@portswigger.net" >
                <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 29 20">
    <path d="M14.312,11.14,1.41,0H27.866L14.973,11.14A.506.506,0,0,1,14.312,11.14Z" transform="translate(-0.129)"
          fill="#324d5c"/>
    <path d="M2.39,16.786,0,18.84V1.43l10.1,8.7Z" transform="translate(0 -0.131)" fill="#324d5c"/>
    <path d="M24.487,18.123l3.452,2.989H1.42l3.869-3.344,6.342-5.452,1.658,1.436,1.06.909a.506.506,0,0,0,.661,0l1.06-.909,1.694-1.463Z"
          transform="translate(-0.13 -1.113)" fill="#324d5c"/>
    <path d="M30.99,1.45v17.3l-1.863-1.609L20.95,10.105Z" transform="translate(-1.99 -0.132)" fill="#324d5c"/>
</svg>
            </a>
            <a class="is-icon light-blue-hover" href="/daily-swig/rss" >
                <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20">
    <path d="M16.173,20H20A20,20,0,0,0,14.136,5.864,20,20,0,0,0,0,0V3.818A16.209,16.209,0,0,1,16.173,20Z"
          transform="translate(0)" fill="#324d5c" fill-rule="evenodd"/>
    <path d="M0,11.3a9.3,9.3,0,0,1,6.615,2.726,9.368,9.368,0,0,1,2.726,6.624h3.834A13.193,13.193,0,0,0,9.3,11.324,13.157,13.157,0,0,0,0,7.48Z"
          transform="translate(0 -0.673)" fill="#324d5c" fill-rule="evenodd"/>
    <path d="M.781,20.669A2.622,2.622,0,1,0,0,18.8a2.626,2.626,0,0,0,.781,1.872Z" transform="translate(0 -1.468)"
          fill="#324d5c" fill-rule="evenodd"/>
</svg>
            </a>
        </div>
        <div class="titlecontainer">
            <a class="banner-main" href="/daily-swig" >
                <img alt="The Daily Swig" src="/content/images/banners/the-daily-swig-logo.svg"/>
            </a>
        </div>
    </div>
</section>

  <div class="mega-nav-dailyswig-wrapper">
    <input type="checkbox" id="daily-swig-hamburger-mobile" class="hamburger-input-mobile">
    <div class="hamburger-menu-mobile">
          <label class="hamburger-menu-label header-hidden" for="daily-swig-hamburger-mobile">
            <span class="hamburger-layers"></span>
          </label>
        </div>
        <div class="mega-nav">
          <input type="radio" id="daily-swig-mega-nav-close" class="mega-nav-input-close" name="daily-swig-mega-nav-input">
          <input type="radio" id="daily-swig-mega-nav-label-1" class="mega-nav-input-1" name="daily-swig-mega-nav-input">
          <input type="radio" id="daily-swig-mega-nav-label-2" class="mega-nav-input-2" name="daily-swig-mega-nav-input">
          <input type="radio" id="daily-swig-mega-nav-label-3" class="mega-nav-input-3" name="daily-swig-mega-nav-input">
          <input type="radio" id="daily-swig-mega-nav-label-4" class="mega-nav-input-4" name="daily-swig-mega-nav-input">
          <input type="radio" id="daily-swig-mega-nav-label-5" class="mega-nav-input-5" name="daily-swig-mega-nav-input">
          <input type="radio" id="daily-swig-mega-nav-label-6" class="mega-nav-input-6" name="daily-swig-mega-nav-input">
          <input type="radio" id="daily-swig-mega-nav-label-7" class="mega-nav-input-7" name="daily-swig-mega-nav-input">
    
          <label for="daily-swig-mega-nav-close" class="mega-nav-close"></label>
    
          <label class="mega-nav-label mega-nav-label-1" for="daily-swig-mega-nav-label-1">
            <span class="mega-nav-text">Regions</span>
            <svg class="icon-arrow-head-down" xmlns="http://www.w3.org/2000/svg" width="16" height="9.43" viewBox="0 0 16 9.43">
              <path d="M8,9.84,1.43,3.27,0,4.7l8,8,8-8L14.57,3.27Z" transform="translate(0 -3.27)"></path>
            </svg>
          </label>
          <label class="mega-nav-label mega-nav-label-2" for="daily-swig-mega-nav-label-2">
            <span class="mega-nav-text">Hacking News</span>
            <svg class="icon-arrow-head-down" xmlns="http://www.w3.org/2000/svg" width="16" height="9.43" viewBox="0 0 16 9.43">
              <path d="M8,9.84,1.43,3.27,0,4.7l8,8,8-8L14.57,3.27Z" transform="translate(0 -3.27)"></path>
            </svg>
          </label>
          <label class="mega-nav-label mega-nav-label-3" for="daily-swig-mega-nav-label-3">
            <span class="mega-nav-text">Data Breaches</span>
            <svg class="icon-arrow-head-down" xmlns="http://www.w3.org/2000/svg" width="16" height="9.43" viewBox="0 0 16 9.43">
              <path d="M8,9.84,1.43,3.27,0,4.7l8,8,8-8L14.57,3.27Z" transform="translate(0 -3.27)"></path>
            </svg>
          </label>
          <label class="mega-nav-label mega-nav-label-4" for="daily-swig-mega-nav-label-4">
            <span class="mega-nav-text">Cyber-attacks</span>
            <svg class="icon-arrow-head-down" xmlns="http://www.w3.org/2000/svg" width="16" height="9.43" viewBox="0 0 16 9.43">
              <path d="M8,9.84,1.43,3.27,0,4.7l8,8,8-8L14.57,3.27Z" transform="translate(0 -3.27)"></path>
            </svg>
          </label>
          <label class="mega-nav-label mega-nav-label-5" for="daily-swig-mega-nav-label-5">
            <span class="mega-nav-text">Vulnerabilities</span>
            <svg class="icon-arrow-head-down" xmlns="http://www.w3.org/2000/svg" width="16" height="9.43" viewBox="0 0 16 9.43">
              <path d="M8,9.84,1.43,3.27,0,4.7l8,8,8-8L14.57,3.27Z" transform="translate(0 -3.27)"></path>
            </svg>
          </label>
          <label class="mega-nav-label mega-nav-label-6" for="daily-swig-mega-nav-label-6">
            <span class="mega-nav-text">Bug Bounties</span>
            <svg class="icon-arrow-head-down" xmlns="http://www.w3.org/2000/svg" width="16" height="9.43" viewBox="0 0 16 9.43">
              <path d="M8,9.84,1.43,3.27,0,4.7l8,8,8-8L14.57,3.27Z" transform="translate(0 -3.27)"></path>
            </svg>
          </label>
          <label class="mega-nav-label mega-nav-label-7" for="daily-swig-mega-nav-label-7">
            <span class="mega-nav-text">More</span>
            <svg class="icon-arrow-head-down" xmlns="http://www.w3.org/2000/svg" width="16" height="9.43" viewBox="0 0 16 9.43">
              <path d="M8,9.84,1.43,3.27,0,4.7l8,8,8-8L14.57,3.27Z" transform="translate(0 -3.27)"></path>
            </svg>
          </label>
          <a class="mega-nav-link header-hidden" href="https://portswigger.net/daily-swig/about"><span class="mega-nav-text">About</span></a>
   
          <div class="mega-nav-container">
    
            <div class="mega-nav-content mega-nav-content-1">
              <div class="section-white-medium-no-padding">
                <div class="container-columns-66-percent-right">
                  <div>
                    <div class="container-columns">
                      <a href="https://portswigger.net/daily-swig/africa" class="no-border">Africa</a>
                      <a href="https://portswigger.net/daily-swig/asia" class="no-border">Asia</a>
                      <a href="https://portswigger.net/daily-swig/europe" class="no-border">Europe</a>
                      <a href="https://portswigger.net/daily-swig/middle-east" class="no-border">Middle East</a>
                      <a href="https://portswigger.net/daily-swig/latin-america" class="no-border">Latin America</a>
                      <a href="https://portswigger.net/daily-swig/north-america" class="no-border">North America</a>
                      <a href="https://portswigger.net/daily-swig/oceania" class="no-border">Oceania</a>
    
                    </div>
                    <a href="https://portswigger.net/daily-swig/us" class="chevron-after">View all US news</a>
                  </div>
    
                  <div>
                    <div class="container-cards-lists-white">
                      <a href="https://portswigger.net/daily-swig/iranian-cyber-threat-groups-make-up-for-lack-of-technical-sophistication-with-social-engineering-trickery">
                        <p><strong>APT focus</strong></p>
                        <p>Take a closer look at Iran’s state-sponsored hacking groups</p>
                        <img src="/daily-swig-mega-nav/images/regions.jpg" alt="Regions">
                      </a>
                    </div>
    
                  </div>
    
    
                </div>
              </div>
            </div>
            <div class="mega-nav-content mega-nav-content-2">
              <div class="section-white-medium-no-padding">
                <div class="container-columns-66-percent-right">
                  <div>
                    <div class="container-small">
                      <a href="https://portswigger.net/daily-swig/hacking-news" class="no-border">Latest Hacking News</a>
    
                      <a href="https://portswigger.net/daily-swig/hacking-news" class="no-border">Hacking Tools</a>
    
                      <a href="https://portswigger.net/daily-swig/hacking-techniques" class="no-border">Hacking Techniques</a>
    
                      <a href="https://portswigger.net/daily-swig/pen-testing" class="no-border">Pen Testing</a>
    
                      <a href="https://portswigger.net/daily-swig/cloud-security" class="no-border">Cloud Security</a>
    
                      <a href="https://portswigger.net/daily-swig/database-security" class="no-border">Database Security</a>
    
                      <a href="https://portswigger.net/daily-swig/email-security" class="no-border">Email Security</a>
    
                      <a href="https://portswigger.net/daily-swig/network-security" class="no-border">Network Security</a>
    
                    </div>
                    <a href="https://portswigger.net/daily-swig/hacking-news" class="chevron-after">View all hacking news</a>
                  </div>
    
                  <div>
                    <div class="container-cards-lists-white">
                      <a href="https://portswigger.net/daily-swig/human-error-bugs-increasingly-making-a-splash-in-hacker-powered-pen-tests-nbsp-report">
                        <p><strong>Hacker-powered security</strong></p>
                        <p>Human error bugs increasingly making a splash, study indicates</p>
                        <img src="/daily-swig-mega-nav/images/hacking.png" alt="Hacking news">
                      </a>
                    </div>
    
                  </div>
    
    
                </div>
              </div>
            </div>
            <div class="mega-nav-content mega-nav-content-3">
              <div class="section-white-medium-no-padding">
                <div class="container-columns-66-percent-right">
                  <div>
                    <div class="container-columns">
                      <a href="https://portswigger.net/daily-swig/data-breach" class="no-border">Latest Data Breaches</a>
                      <a href="https://portswigger.net/daily-swig/data-leak" class="no-border">Data Leak</a>
                      <a href="https://portswigger.net/daily-swig/organizations" class="no-border">Organizations</a>
                      <a href="https://portswigger.net/daily-swig/enterprise" class="no-border">Enterprise Security</a>
                    </div>
                    <a href="https://portswigger.net/daily-swig/data-breach" class="chevron-after">View all data breach news</a>
                  </div>
    
                  <div>
                    <div class="container-cards-lists-white">
                      <a href="https://portswigger.net/daily-swig/software-supply-chain-attacks-everything-you-need-to-know">
                        <p><strong>In focus</strong></p>
                        <p>Software supply chain attacks – everything you need to know</p>
                        <img src="/daily-swig-mega-nav/images/breaches.png" alt="Data Breaches">
                      </a>
                    </div>
    
                  </div>
    
    
                </div>
              </div>
            </div>
            <div class="mega-nav-content mega-nav-content-4">
              <div class="section-white-medium-no-padding">
                <div class="container-columns-66-percent-right">
                  <div>
                    <div class="container-small">
                      <a href="https://portswigger.net/daily-swig/cyber-attacks" class="no-border">Latest Cyber-attacks</a>
    
                      <a href="https://portswigger.net/daily-swig/cybercrime" class="no-border">Cybercrime</a>
    
                      <a href="https://portswigger.net/daily-swig/cyber-warfare" class="no-border">Cyber Warfare</a>
    
                      <a href="https://portswigger.net/daily-swig/ddos" class="no-border">DDoS Attacks</a>
    
                      <a href="https://portswigger.net/daily-swig/supply-chain-attacks" class="no-border">Supply Chain Attacks</a>
    
                    </div>
                    <a href="https://portswigger.net/daily-swig/cyber-attacks" class="chevron-after">View all cyber-attack news</a>
                  </div>
    
                  <div>
                    <div class="container-cards-lists-white">
                      <a href="https://portswigger.net/daily-swig/beyond-lazarus-north-korean-cyber-threat-groups-become-top-tier-reckless-adversaries">
                        <p><strong>Special report</strong></p>
                        <p>North Korean cyber-threat groups become top-tier adversaries</p>
                        <img src="/daily-swig-mega-nav/images/cyberattacks.jpg" alt="Cyber Attacks">
                      </a>
                    </div>
    
                  </div>
    
    
                </div>
              </div>
            </div>
            <div class="mega-nav-content mega-nav-content-5">
              <div class="section-white-medium-no-padding">
                <div class="container-columns-66-percent-right">
                  <div>
                    <div class="container-small">
                      <a href="https://portswigger.net/daily-swig/vulnerabilities" class="no-border">Latest Vulnerabilities</a>
    
                      <a href="https://portswigger.net/daily-swig/zero-day" class="no-border">Zero-Day News</a>
    
                      <a href="https://portswigger.net/daily-swig/rce" class="no-border">RCE</a>
    
                      <a href="https://portswigger.net/daily-swig/xss" class="no-border">XSS</a>
    
                      <a href="https://portswigger.net/daily-swig/sql-injection" class="no-border">SQL Injection</a>
    
                      <a href="https://portswigger.net/daily-swig/ssrf" class="no-border">SSRF</a>
    
                      <a href="https://portswigger.net/daily-swig/csrf" class="no-border">CSRF</a>
    
                      <a href="https://portswigger.net/daily-swig/xs-leak" class="no-border">XS Leaks</a>
    
                    </div>
                    <a href="https://portswigger.net/daily-swig/vulnerabilities" class="chevron-after">View all security vulnerability news</a>
                  </div>
    
                  <div>
                    <div class="container-cards-lists-white">
                      <a href="https://portswigger.net/daily-swig/how-expired-web-domains-help-criminal-hackers-unlock-enterprise-defenses">
                        <p><strong>What’s in a (domain) name?</strong></p>
                        <p>How expired web domains are helping criminal hacking campaigns</p>
                        <img src="/daily-swig-mega-nav/images/vulnerabilities.png" alt="Vulnerabilities">
                      </a>
                    </div>
    
                  </div>
    
    
                </div>
              </div>
            </div>
            <div class="mega-nav-content mega-nav-content-6">
              <div class="section-white-medium-no-padding">
                <div class="container-columns-66-percent-right">
                  <div>
                    <div class="container-columns">
                      <a href="https://portswigger.net/daily-swig/bug-bounty" class="no-border">Bug Bounty News</a>
    
                      <a href="https://portswigger.net/daily-swig/vdp" class="no-border">VDP News</a>
    
                      <a href="https://portswigger.net/daily-swig/research" class="no-border">Research</a>
    
                      <a href="https://portswigger.net/daily-swig/osint" class="no-border">OSINT</a>
    
                    </div>
                    <a href="https://portswigger.net/daily-swig/bug-bounty" class="chevron-after">View all bug bounty news</a>
                  </div>
    
                  <div>
                    <div class="container-cards-lists-white">
                      <a href="https://portswigger.net/daily-swig/bug-bounty-radar-the-latest-bug-bounty-programs-for-december-2021">
                        <p><strong>Bug Bounty Radar</strong></p>
                        <p>The latest programs for December 2021</p>
                        <img src="/daily-swig-mega-nav/images/bug-bounties.png" alt="Bug bounties">
                      </a>
                    </div>
    
                  </div>
    
    
                </div>
              </div>
            </div>
            <div class="mega-nav-content mega-nav-content-7">
              <div class="section-white-medium-no-padding">
                <div class="container-columns-66-percent-right">
                  <div>
                    <div class="container-small">
                      <a href="https://portswigger.net/daily-swig/interviews" class="no-border">Interviews</a>
                      <a href="https://portswigger.net/daily-swig/analysis" class="no-border">Analysis</a>
                      <a href="https://portswigger.net/daily-swig/research" class="no-border">Research</a>
                      <a href="https://portswigger.net/daily-swig/deep-dives" class="no-border">Deep Dives</a>
                      <a href="https://portswigger.net/daily-swig/browsers" class="no-border">Browsers</a>
                      <a href="https://portswigger.net/daily-swig/ransomware" class="no-border">Ransomware</a>
                      <a href="https://portswigger.net/daily-swig/phishing" class="no-border">Phishing</a>
                      <a href="https://portswigger.net/daily-swig/malware" class="no-border">Malware</a>
                      <a href="https://portswigger.net/daily-swig/encryption" class="no-border">Encryption</a>
                      <a href="https://portswigger.net/daily-swig/privacy" class="no-border">Privacy</a>
                      <a href="https://portswigger.net/daily-swig/mobile" class="no-border">Mobile</a>
                      <a href="https://portswigger.net/daily-swig/iot" class="no-border">IoT</a>
                      <a href="https://portswigger.net/daily-swig/policy-and-legislation" class="no-border">Policy and Legislation</a>
                      <a href="https://portswigger.net/daily-swig/machine-learning" class="no-border">Machine learning</a>
                      <a href="https://portswigger.net/daily-swig/dns" class="no-border">DNS</a>
                      <a href="https://portswigger.net/daily-swig/open-source-software" class="no-border">Open Source</a>
                      <a href="https://portswigger.net/daily-swig/hardware" class="no-border">Hardware</a>
                      <a href="https://portswigger.net/daily-swig/authentication" class="no-border">Authentication</a>
                      <a href="https://portswigger.net/daily-swig/events" class="no-border">Events</a>
    
                    </div>
                    <a href="https://portswigger.net/daily-swig/industry-news" class="chevron-after">View all infosec industry news</a>
                  </div>
    
                  <div>
                    <div class="container-cards-lists-white">
                      <a href="https://portswigger.net/daily-swig/cybersecurity-conferences-2021-a-schedule-of-virtual-and-potentially-in-person-or-hybrid-events">
                        <p><strong>Cybersecurity conferences</strong></p>
                        <p>A schedule of events in 2021 and beyond</p>
                        <img src="/daily-swig-mega-nav/images/more-topics.jpg" alt="More topics">
                      </a>
                    </div>
    
                  </div>
    
    
                </div>
              </div>
            </div>
   
          </div>
    
        </div>
   </div>
  
    


<input id="MediaId" name="MediaId" type="hidden" value="0140FD8FC26787A5D053E07AA98FA634" />


<section class="maincontainer dailyswig">
    <div class="container is-flex margin-bottom-m">
        <div class="maincol">
            <div class="post-card">
                
<h1>Backdoor planted in PHP Git repository after server hack</h1>
                
                <div class="post-additionalinfo">
                    
<a href="/daily-swig/by/jessica-haworth">
    Jessica Haworth</a>

29 March 2021 at 12:00 UTC

    <br>
    Updated: 30 March 2021 at 12:30 UTC

                </div>
                <div class="post-labels">
                    
            <a href="/daily-swig/php">
                <span>PHP</span></a>
            <a href="/daily-swig/rce">
                <span>RCE</span></a>
            <a href="/daily-swig/cyber-attacks">
                <span>Cyber-attacks</span></a>

                </div>
                

<div class="sharebuttoncontainer is-smallicons">
    <a href="https://twitter.com/share?url=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack&text=Backdoor+planted+in+PHP+Git+repository+after+server+hack+%7c+The+Daily+Swig%0A" target="_blank" init-ga-click data-ga-click-label="twitter">
        <span class="share-twitter ">
            <span class="share-icon icon-ps-twitter"></span>
            <span class="share-text">Twitter</span>
        </span>
    </a>
    <a href="https://api.whatsapp.com/send?text=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack" target="_blank" init-ga-click data-ga-click-label="whatsapp">
        <span class="share-whatsapp ">
            <span class="share-icon icon-ps-whatsapp"></span>
            <span class="share-text">WhatsApp</span>
        </span>
    </a>
    <a href="https://www.facebook.com/sharer.php?u=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack" target="_blank" init-ga-click data-ga-click-label="facebook">
        <span class="share-facebook ">
            <span class="share-icon icon-ps-facebook"></span>
            <span class="share-text">Facebook</span>
        </span>
    </a>
    <a href="https://reddit.com/submit?url=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack" target="_blank" init-ga-click data-ga-click-label="reddit">
        <span class="share-reddit ">
            <span class="share-icon icon-ps-reddit"></span>
            <span class="share-text">Reddit</span>
        </span>
    </a>
    <a href="https://www.linkedin.com/shareArticle?url=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack" target="_blank" init-ga-click data-ga-click-label="linkedin">
        <span class="share-linkedin ">
            <span class="share-icon icon-ps-linkedin"></span>
            <span class="share-text">LinkedIn</span>
        </span>
    </a>
    <a href="mailto:?subject=Backdoor+planted+in+PHP+Git+repository+after+server+hack+%7c+The+Daily+Swig&body=Backdoor+planted+in+PHP+Git+repository+after+server+hack+%7c+The+Daily+Swig%0A%0AScripting+language+falls+victim+to+cyber-attack%0A%0Ahttps://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack" init-ga-click data-ga-click-label="email">
        <span class="share-email ">
            <span class="share-icon icon-ps-email"></span>
            <span class="share-text">Email</span>
        </span>
    </a>
</div>
                <div class="post-content">
                    <!-- Article Start -->
                    <p class="standfirst">Scripting language falls victim to cyber-attack</p><p><img src="/cms/images/be/3e/4a50-article-210329-php-body-text-1200.jpg" alt="The PHP Git repository has been compromised after attackers planted a backdoor in its source code" title="Image: PortSwigger Ltd"><br></p><p>An unknown actor <a href="https://portswigger.net/daily-swig/cyber-attacks" target="_blank">compromised</a> the official PHP Git repository last night (March 28), pushing backdoored code under the guise of a minor edit.</p><p>The malicious attacker pushed two commits to the <span class="codeextract">php-src</span> repo for the popular scripting language that contained a backdoor allowing for <a href="https://portswigger.net/daily-swig/rce" target="_blank">remote code execution </a>(RCE), maintainers revealed.</p><p>PHP is thought to underpin almost 80% of websites, according to <a href="https://w3techs.com/technologies/details/pl-php" target="_blank">a study</a> by Web Technology Surveys. This includes all WordPress sites, which are built on PHP.</p><p>It is so far unknown who the perpetrator was or how they were able to publish the commits, since they were uploaded under legitimate maintainers’ names.</p><p>However, it is known that the malicious actor pushed the changes under an upstream named ‘fix typo’, apparently trying to cover their tracks by claiming they were making minor changes to the code.</p><p><br></p><p class="text-center"><a href="https://portswigger.net/daily-swig/rce" target="_blank" class="bold">Read more of the latest news about remote code execution</a></p><p><br>Digging deeper, the code actually planted a backdoor that opened the door for the remote takeover of any website that uses PHP.</p><p>Maintainer Nikita Popov wrote in <a href="https://news-web.php.net/php.internals/113838" target="_blank">a statement</a> that they believe attackers found a way in through compromise of the git.php.net server rather than any individual account.</p><p>The team behind PHP has discontinued the git.php.net server and the repositories on <a href="https://portswigger.net/daily-swig/github" target="_blank">GitHub</a>, which were previously only mirrors, will become canonical, they said.</p><p>This means that changes should be pushed directly to GitHub rather than to git.php.net.</p><p>Maintainers are now reviewing the repositories for any signs of further compromise.</p><h3>Mistaken identity</h3><p>The malicious code includes reference to ‘Zerodium’, a US company known for buying <a href="https://portswigger.net/daily-swig/zero-day" target="_blank">zero-day</a> exploits.</p><p>This has <a href="https://twitter.com/orange_8361/status/1376452456301744129" target="_blank">sparked conversation</a> online as the cybersecurity community scrambles to determine who is behind the attack.</p><p>Twitter user @LiveOverflow suggested that the mention could be a joke, tweeting: “What’s your guess regarding the “Zerodium” reference? Just a joke? Or maybe talking about the root bug that lead [SIC] to the repo compromise?”</p><p><br></p><p class="text-center"><span class="bold">READ</span> <a href="https://portswigger.net/daily-swig/php-removed-from-internet-bug-bounty-program-but-scripting-language-custodians-were-never-involved-from-the-outset" target="_blank">PHP removed from Internet Bug Bounty program – but scripting language custodians were ‘never involved’ from the outset</a></p><p><br>Zerodium CEO Chaouki Bekrar shut down rumors that it was involved, instead pointing to the real attackers as being “trolls”.</p><p>They <a href="https://twitter.com/cBekrar/status/1376469666084757506" target="_blank">wrote</a>: “Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits. Obviously, we have nothing to do with this.</p><p>“Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”</p><p>An investigation is still underway with no confirmed reports pointing to the identity of the attacker.</p><p><span class="italic">The Daily Swig</span> has reached out to Popov for comment and will update this article accordingly.</p><p><br><span class="bold">YOU MAY ALSO LIKE</span> <a href="https://portswigger.net/daily-swig/github-awards-bug-bounty-hunter-25-000-for-actions-secrets-theft-report" target="_blank">GitHub awards bug bounty hunter $25,000 for Actions secrets theft report</a></p><p></p><p></p><p></p>
                    <!-- Article End -->
                </div>
                <div class="post-labels">
                    
            <a href="/daily-swig/php">
                <span>PHP</span></a>
            <a href="/daily-swig/rce">
                <span>RCE</span></a>
            <a href="/daily-swig/cyber-attacks">
                <span>Cyber-attacks</span></a>
            <a href="/daily-swig/github">
                <span>GitHub</span></a>
            <a href="/daily-swig/open-source-software">
                <span>Open Source Software</span></a>
            <a href="/daily-swig/secure-development">
                <span>Secure Development</span></a>
            <a href="/daily-swig/vulnerabilities">
                <span>Vulnerabilities</span></a>
            <a href="/daily-swig/zero-day">
                <span>Zero-day</span></a>
            <a href="/daily-swig/industry-news">
                <span>Industry News</span></a>
            <a href="/daily-swig/network-security">
                <span>Network Security</span></a>
            <a href="/daily-swig/hacking-news">
                <span>Hacking News</span></a>
            <a href="/daily-swig/database-security">
                <span>Database Security</span></a>
            <a href="/daily-swig/cloud-security">
                <span>Cloud Security</span></a>

                </div>
                <div class="post-authorinfo">

<img src="/cms/profiles/jessica-haworth.png" alt="Jessica Haworth"/>
<div class="post-authorinfo-text">
    <p class="post-authorinfo-name">
        <!-- Author Start -->
        <a href="/daily-swig/by/jessica-haworth">Jessica Haworth</a>
        <!-- Author} End -->
    </p>
        <p>
            <a href="https://twitter.com/JesscaHaworth">@JesscaHaworth <span class="icon cmsicon-twitter"></span></a>
        </p>
</div>

                </div>
                

<div class="sharebuttoncontainer is-aftercontent">
    <a href="https://twitter.com/share?url=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack&text=Backdoor+planted+in+PHP+Git+repository+after+server+hack+%7c+The+Daily+Swig%0A" target="_blank" init-ga-click data-ga-click-label="twitter">
        <span class="share-twitter is-wide">
            <span class="share-icon icon-ps-twitter"></span>
            <span class="share-text">Twitter</span>
        </span>
    </a>
    <a href="https://api.whatsapp.com/send?text=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack" target="_blank" init-ga-click data-ga-click-label="whatsapp">
        <span class="share-whatsapp is-wide">
            <span class="share-icon icon-ps-whatsapp"></span>
            <span class="share-text">WhatsApp</span>
        </span>
    </a>
    <a href="https://www.facebook.com/sharer.php?u=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack" target="_blank" init-ga-click data-ga-click-label="facebook">
        <span class="share-facebook is-wide">
            <span class="share-icon icon-ps-facebook"></span>
            <span class="share-text">Facebook</span>
        </span>
    </a>
    <a href="https://reddit.com/submit?url=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack" target="_blank" init-ga-click data-ga-click-label="reddit">
        <span class="share-reddit is-wide">
            <span class="share-icon icon-ps-reddit"></span>
            <span class="share-text">Reddit</span>
        </span>
    </a>
    <a href="https://www.linkedin.com/shareArticle?url=https%3a%2f%2fportswigger.net%2fdaily-swig%2fbackdoor-planted-in-php-git-repository-after-server-hack" target="_blank" init-ga-click data-ga-click-label="linkedin">
        <span class="share-linkedin is-wide">
            <span class="share-icon icon-ps-linkedin"></span>
            <span class="share-text">LinkedIn</span>
        </span>
    </a>
    <a href="mailto:?subject=Backdoor+planted+in+PHP+Git+repository+after+server+hack+%7c+The+Daily+Swig&body=Backdoor+planted+in+PHP+Git+repository+after+server+hack+%7c+The+Daily+Swig%0A%0AScripting+language+falls+victim+to+cyber-attack%0A%0Ahttps://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack" init-ga-click data-ga-click-label="email">
        <span class="share-email is-wide">
            <span class="share-icon icon-ps-email"></span>
            <span class="share-text">Email</span>
        </span>
    </a>
</div>
            </div>
        </div>

<div id="widgetcolumn" class="post-widgetcolumn rightcol">
    <noscript>
        <div class="noscript-warning">This page requires JavaScript for an enhanced user experience.</div>
    </noscript>
    <div class="widget-tile-container">
        <div class="widget-title">Latest Posts</div>
        <div class="widget-content">


<a href="/daily-swig/popular-wordpress-platform-flywheel-vulnerable-to-subdomain-takeover-researcher-claims" class="tile-container dailyswig onecolumn widget-tile size0 style1 textstyle6 is-whitebackground" data-backgroundimageurl=/cms/images/b8/d8/c289-tile-211223-wordpress-flywheel-1x1.jpg  data-backgroundcolorid="0">
    
<h3 class="tile-text1 notext2">
        <span class="tile-text-container">Popular WordPress platform Flywheel ‘vulnerable to subdomain takeover’</span>
</h3>
    
<span class="tile-date">23 December 2021</span>
    
<span class="tile-text1-alt">Popular WordPress platform Flywheel ‘vulnerable to subdomain takeover’</span>
        
        <span class="tile-text2-alt">Malicious actors could wreak havoc by impersonating legitimate websites</span>

</a>

<a href="/daily-swig/wireless-coexistence-new-attack-technique-exploits-bluetooth-wifi-performance-features-for-inter-chip-privilege-escalation" class="tile-container dailyswig onecolumn widget-tile size0 style1 textstyle4 is-whitebackground" data-backgroundimageurl=/cms/images/b8/33/8722-tile-211223-bluetooth-2x1.png data-backgroundoverlay data-backgroundcolorid="0">
    
<h3 class="tile-text1 ">
        <span class="tile-text-container">Wireless coexistence</span>
</h3>


    <span class="tile-text2">
            <span class="tile-text-container">New attack technique exploits Bluetooth, WiFi performance features for ‘inter-chip privilege escalation’</span>
    </span>
    
<span class="tile-date">23 December 2021</span>
    
<span class="tile-text1-alt">Wireless coexistence</span>
        
        <span class="tile-text2-alt">New attack technique exploits Bluetooth, WiFi performance features for &#x2018;inter-chip privilege escalation&#x2019;</span>

</a>

<a href="/daily-swig/us-clothing-supplier-pro-wrestling-tees-hit-by-data-breach" class="tile-container dailyswig onecolumn widget-tile size0 style0 textstyle7 is-whitebackground" data-backgroundimageurl=/cms/images/fc/ca/c14f-tile-red-log4j.png  data-backgroundcolorid="0">
    
<h3 class="tile-text1 notext2">
        <span class="tile-text-container">US clothing supplier Pro Wrestling Tees hit by data breach</span>
</h3>
    
<span class="tile-date">23 December 2021</span>
    
<span class="tile-text1-alt">US clothing supplier Pro Wrestling Tees hit by data breach</span>
        
        <span class="tile-text2-alt">Law enforcement alerted company to compromise of payment card info</span>

</a>        </div>
    </div>
</div>    </div>


            <div class="widget-tile">
                <div class="container">
                    <h3 class="text-center charcoal">Related stories</h3>
                    <noscript>
                        <div class="noscript-warning">This page requires JavaScript for an enhanced user experience.</div>
                    </noscript>
                    <div class="widget-tile-container has-1rows margin-top-m">


<a href="/daily-swig/popular-wordpress-platform-flywheel-vulnerable-to-subdomain-takeover-researcher-claims" class="tile-container  onecolumn widget-tile size0 style1 textstyle6 is-whitebackground" data-backgroundimageurl=/cms/images/b8/d8/c289-tile-211223-wordpress-flywheel-1x1.jpg  data-backgroundcolorid="0">
    
<h3 class="tile-text1 notext2">
        <span class="tile-text-container">Popular WordPress platform Flywheel ‘vulnerable to subdomain takeover’</span>
</h3>
    
<span class="tile-date">23 December 2021</span>
    
<span class="tile-text1-alt">Popular WordPress platform Flywheel ‘vulnerable to subdomain takeover’</span>
        
        <span class="tile-text2-alt">Malicious actors could wreak havoc by impersonating legitimate websites</span>

</a>

<a href="/daily-swig/wireless-coexistence-new-attack-technique-exploits-bluetooth-wifi-performance-features-for-inter-chip-privilege-escalation" class="tile-container  onecolumn widget-tile size0 style1 textstyle4 is-whitebackground" data-backgroundimageurl=/cms/images/b8/33/8722-tile-211223-bluetooth-2x1.png data-backgroundoverlay data-backgroundcolorid="0">
    
<h3 class="tile-text1 ">
        <span class="tile-text-container">Wireless coexistence</span>
</h3>


    <span class="tile-text2">
            <span class="tile-text-container">New attack technique exploits Bluetooth, WiFi performance features for ‘inter-chip privilege escalation’</span>
    </span>
    
<span class="tile-date">23 December 2021</span>
    
<span class="tile-text1-alt">Wireless coexistence</span>
        
        <span class="tile-text2-alt">New attack technique exploits Bluetooth, WiFi performance features for &#x2018;inter-chip privilege escalation&#x2019;</span>

</a>

<a href="/daily-swig/us-clothing-supplier-pro-wrestling-tees-hit-by-data-breach" class="tile-container  onecolumn widget-tile size0 style0 textstyle7 is-whitebackground" data-backgroundimageurl=/cms/images/fc/ca/c14f-tile-red-log4j.png  data-backgroundcolorid="0">
    
<h3 class="tile-text1 notext2">
        <span class="tile-text-container">US clothing supplier Pro Wrestling Tees hit by data breach</span>
</h3>
    
<span class="tile-date">23 December 2021</span>
    
<span class="tile-text1-alt">US clothing supplier Pro Wrestling Tees hit by data breach</span>
        
        <span class="tile-text2-alt">Law enforcement alerted company to compromise of payment card info</span>

</a>

<a href="/daily-swig/bug-bounty-platforms-handling-thousands-of-log4j-vulnerability-reports" class="tile-container  onecolumn widget-tile size0 style1 textstyle4 is-whitebackground" data-backgroundimageurl=/cms/images/2a/88/227d-tile-211222-log4j-bug-bounty-1x1.jpg  data-backgroundcolorid="0">
    
<h3 class="tile-text1 ">
        <span class="tile-text-container">Log4Shell bugfest</span>
</h3>


    <span class="tile-text2">
            <span class="tile-text-container">Bug bounty platforms handling thousands of Log4j reports</span>
    </span>
    
<span class="tile-date">22 December 2021</span>
    
<span class="tile-text1-alt">Log4Shell bugfest</span>
        
        <span class="tile-text2-alt">Bug bounty platforms handling thousands of Log4j reports</span>

</a>                    </div>
                </div>
            </div>

</section>


<script type="application/ld+json">
{
  "@context": "http://schema.org",
  "@type": "NewsArticle",
  "author": {
    "@type": "Person",
    "email": "dailyswig@portswigger.net",
    "name": "Jessica Haworth"
  },
  "dateModified": "2021-03-30",
  "datePublished": "2021-03-29",
  "headline": "Backdoor planted in PHP Git repository after server hack",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack"
  },
  "image":{
    "@type": "ImageObject",
    "url": "https://portswigger.net/cms/images/be/3e/4a50-twittercard-210329-php-body-text-1200.jpg"
  },
  "publisher": {
    "@type": "Organization",
    "logo": {
      "@type": "ImageObject",
      "url": "https://portswigger.net/content/images/logos/dailyswig-logo.jpg"
    },
    "name": "The Daily Swig",
    "url": "https://portswigger.net/daily-swig",
    "sameAs": [
      "https://twitter.com/dailyswig"
    ]
  },
  "url": "https://portswigger.net/daily-swig/backdoor-planted-in-php-git-repository-after-server-hack"
}
</script>

    <script src="/bundles/cms/dailyswig/details.js?v=IDI_vy-Vbaa4WXm-XDgRhh_x__U" nonce="C//gpoUrYVk8XZP3LknxDxvcJoUvrImY"></script>


    <section class="prefootercontainer dailyswig"></section>
    
    <footer class="wrapper">
        <div class="container">
            <div>
                <p>Burp Suite</p>
                <a href="/burp/vulnerability-scanner">Web vulnerability scanner</a>
                <a href="/burp">Burp Suite Editions</a>
                <a href="/burp/releases">Release Notes</a>
            </div>
            <div>
                <p>Vulnerabilities</p>
                <a href="/web-security/cross-site-scripting">Cross-site scripting (XSS)</a>
                <a href="/web-security/sql-injection">SQL injection</a>
                <a href="/web-security/csrf">Cross-site request forgery</a>
                <a href="/web-security/xxe">XML external entity injection</a>
                <a href="/web-security/file-path-traversal">Directory traversal</a>
                <a href="/web-security/ssrf">Server-side request forgery</a>
            </div>
            <div>
                <p>Customers</p>
                <a href="/organizations">Organizations</a>
                <a href="/testers">Testers</a>
                <a href="/developers">Developers</a>
            </div>
            <div>
                <p>Company</p>
                <a href="/about">About</a>
                <a href="/news">PortSwigger News</a>
                <a href="/careers">Careers</a>
                <a href="/about/contact">Contact</a>
                <a href="/legal">Legal</a>
                <a href="/privacy">Privacy Notice</a>
            </div>
            <div>
                <p>Insights</p>
                <a href="/web-security">Web Security Academy</a>
                <a href="/blog">Blog</a>
                <a href="/research">Research</a>
                <a href="/daily-swig">The Daily Swig</a>
            </div>
            <div>
                <a href="/"><img src="/content/images/logos/portswigger-logo.svg" alt="PortSwigger Logo" class="footer-logo"></a>
                <a class="button-outline-blue-small camelcase" href="https://twitter.com/Burp_Suite" rel="noreferrer"><span class="icon-twitter"></span>  Follow us</a>
                <p class="grey">&copy; 2021 PortSwigger Ltd.</p>
            </div>
        </div>
    </footer>
    <a href="#top" class="back-to-top"><svg xmlns="http://www.w3.org/2000/svg" width="26" height="26" viewBox="0 0 26 26"><polygon points="4.07 14.7 5.03 15.78 12.48 9.13 19.94 15.78 20.9 14.7 12.48 7.2 4.07 14.7" fill="#f63" /><path d="M13,0A13,13,0,1,0,26,13,13,13,0,0,0,13,0Zm0,24.56A11.56,11.56,0,1,1,24.56,13,11.58,11.58,0,0,1,13,24.56Z" fill="#f63" /></svg></a>

</body>
</html>